
Migrating VMs in Air-Gapped Environments: A Complete Guide

HyperSDK Team, Core Team

Air-gapped networks -- environments with no physical or logical connection to the internet -- present unique challenges for VM migration. Standard migration tools assume network connectivity for package downloads, driver repositories, and cloud API calls. HyperSDK was designed from the ground up to operate in fully disconnected environments, making it the platform of choice for government, defense, and compliance-restricted organizations.

What Air-Gap Means in Practice

An air-gapped network has no connection to the internet or to any untrusted network. This is not the same as a firewall-restricted network where outbound connections are blocked -- air-gap means there is no physical path for data to traverse. These environments are found in SCIFs (Sensitive Compartmented Information Facilities), classified defense networks, certain financial trading floors, and critical infrastructure control systems.

For VM migration, air-gap creates several immediate challenges. There is no access to package repositories (apt, yum, pip) for installing tools or dependencies. There is no access to driver download sites for VirtIO or guest agent packages. There is no access to cloud APIs for authentication or storage. There is no way to pull container images from registries. Every component needed for migration must be pre-staged on portable media and physically carried across the air gap.

How HyperSDK Handles Air-Gap Migration

HyperSDK's air-gap migration workflow operates in three stages, each designed for complete offline operation.

Stage 1: Offline Export. On the source network (typically a VMware vSphere environment), HyperSDK connects to vCenter using only local network access. VMs are exported to local storage with full manifest tracking. Each exported artifact -- disk image, configuration file, metadata -- receives a SHA-256 checksum. The export manifest records the operator identity, timestamp, source VM identifier, and hash of every file. No outbound network access is required.

Stage 2: Physical Transfer. Exported VM images are transferred to encrypted portable media. HyperSDK generates a chain-of-custody manifest that tracks every file from source to destination. The manifest includes tamper-evident digital signatures so that any modification during physical transport is detectable. Supported media include encrypted USB drives, removable NVMe drives, and optical media for smaller workloads.

Stage 3: Offline Import. On the destination network, hyper2kvm reads exported images directly from the portable media. All conversion tools, VirtIO drivers, and guest OS fixup scripts are pre-packaged in the hyper2kvm installation -- nothing is downloaded at runtime. Disk images are converted from VMDK to qcow2, VirtIO drivers are injected, bootloaders are repaired, and the VM is deployed to libvirt. The entire process runs without a single DNS lookup.
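As an added illustration of the manifest-and-verify pattern that runs through the three stages (example code, not HyperSDK's own implementation or manifest format): the exporter records a SHA-256 for every artifact together with operator, timestamp and source VM identifier, seals the manifest with a key staged on both sides of the gap, and the importer re-checks every file from the media before any conversion starts. It uses an HMAC as a stand-in for the digital signature the text describes, because the Python standard library has no asymmetric signing; the file names, key and VM identifier are constructed for the demo.

```python
import hashlib, hmac, json, tempfile, time
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream a (possibly multi-GB) disk image through SHA-256."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def canonical(body: dict) -> bytes:
    # Deterministic encoding so both sides MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(export_dir: Path, operator: str, source_vm: str, key: bytes) -> dict:
    """Stage 1: hash every exported artifact and seal the record (HMAC stands in for a signature)."""
    files = {p.name: sha256_file(p) for p in sorted(export_dir.iterdir()) if p.is_file()}
    body = {"operator": operator, "source_vm": source_vm,
            "exported_at": int(time.time()), "files": files}
    return {"body": body, "mac": hmac.new(key, canonical(body), "sha256").hexdigest()}

def verify_manifest(manifest: dict, export_dir: Path, key: bytes) -> list[str]:
    """Stage 3: return every integrity problem found; an empty list means the media is clean."""
    problems = []
    expected_mac = hmac.new(key, canonical(manifest["body"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        problems.append("manifest MAC mismatch")      # manifest itself was edited
    for name, digest in manifest["body"]["files"].items():
        p = export_dir / name
        if not p.is_file():
            problems.append(f"missing: {name}")
        elif sha256_file(p) != digest:
            problems.append(f"hash mismatch: {name}")  # artifact changed in transit
    extra = {p.name for p in export_dir.iterdir() if p.is_file()} - set(manifest["body"]["files"])
    problems.extend(f"unlisted file: {n}" for n in sorted(extra))  # something added on the media
    return problems

def demo() -> tuple[list[str], list[str], list[str]]:
    key = b"constructed-demo-key"  # stand-in for the key pre-staged on source and destination
    with tempfile.TemporaryDirectory() as d:
        export_dir = Path(d)
        (export_dir / "web01-disk0.vmdk").write_bytes(b"\x00" * 4096)  # constructed stand-in image
        (export_dir / "web01.vmx").write_text('displayName = "web01"\n')
        manifest = build_manifest(export_dir, "alice", "vm-1001", key)
        clean = verify_manifest(manifest, export_dir, key)
        forged = {"body": dict(manifest["body"], operator="mallory"), "mac": manifest["mac"]}
        edited = verify_manifest(forged, export_dir, key)
        (export_dir / "web01-disk0.vmdk").write_bytes(b"\x00" * 4095 + b"\x01")
        tampered = verify_manifest(manifest, export_dir, key)
    return clean, edited, tampered
```

Keep the manifest outside the export directory (or exclude it from the file list) so it is not hashed into itself, and reject the import on any non-empty result rather than converting the untouched files.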

FIPS and Compliance Considerations

Air-gapped environments typically operate under strict compliance frameworks. HyperSDK uses FIPS 140-2 compatible cryptographic modules for all hashing and signature operations. Audit logs are structured JSON, suitable for ingestion into SIEM platforms operating on the same air-gapped network. Every operation is logged with sufficient detail to satisfy NIST SP 800-53 audit requirements, including operator identification, action performed, objects affected, and result status.

Real-World Use Cases

We have deployed HyperSDK in air-gapped environments across several sectors: defense contractors migrating from VMware to KVM on classified networks, government agencies modernizing infrastructure in SCIF environments, energy companies migrating control systems on isolated OT networks, and maritime organizations operating on vessels with no satellite connectivity.

In each case, the key to success was pre-staging. All tools, drivers, and dependencies must be validated and packaged before they cross the air gap. HyperSDK provides a single self-contained package that includes everything needed for the complete migration pipeline. If your organization operates in a disconnected environment and needs to migrate VM workloads, contact our team to discuss your specific requirements.